Bug 55150 - AD-Connector fails sync, missing match filter, but all filter criteria are fulfilled [5.0]
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 5.0
Other Linux
P5 normal
UCS 5.0-2-errata
Assigned To: Iván.Delgado
Arvid Requate
https://git.knut.univention.de/univen...
Depends on: 37351 52263
Blocks:
Reported: 2022-08-31 07:54 CEST by Iván.Delgado
Modified: 2022-09-08 11:43 CEST (History)
10 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Iván.Delgado univentionstaff 2022-08-31 07:54:12 CEST
+++ This bug was initially created as a clone of Bug #52263 +++

univention-app info
UCS: 4.4-6 errata776
Installed: adconnector=12.0 itslearning=3.2 self-service=4.0 self-service-backend=4.0 ucs-to-school-transformer=1.3.2 ucsschool=4.4 v7 ucsschool-kelvin-rest-api=1.1.1
Upgradable: ucsschool-kelvin-rest-api


AD-Connector is in sync mode

Some users are not synced correctly from AD to UCS, because the AD-Connector reports a missing valid match filter, but all mandatory attributes are present (and thousands of other users are synced correctly in this environment). We were not able to detect any differences between rejected users and not rejected users, because they are all created the same way in AD.
Comment 1 Iván.Delgado univentionstaff 2022-09-02 12:25:07 CEST
When objects were changed in Microsoft Active Directory, the AD-Connector checked if the object should be ignored. The decision is based on three criteria, `match_filter`, `ignoresubtree` and the `ignorelist` from which the `ignore_filter` is constructed. Since Bug 37351 has been fixed in `errata4.0-1`, this check is not only applied to the new object, but also to the object existing in UDM, which represents the old state at the time of sync. In scenarios where an object is present in UDM and Microsoft Active Directory but matches the `ignore_filter`, this had the negative side effect that the AD object would still be ignored even if the administrator changed an attribute in a way that the new object did not match the `ignore_filter` any longer. This affected user objects.
This problem has been fixed by restricting the change for Bug 37351 to apply only to objects matching the criteria of a `windowscomputer`, as these don't have an `ignore_filter`.

univention-ad-connector.yaml
cbcac1dc836c | Bug #55150: Update advisory
463085bf4f29 | Bug #55150: Update changelog and advisory

univention-ad-connector (14.0.10-6)
463085bf4f29 | Bug #55150: Update changelog and advisory

univention-ad-connector (14.0.10-5)
8f3a35acdaf7 | Bug #55150: check if property_type is "windowscomputer" before check _ignore_object

ucs-test (10.0.7-22)
69dcef6aeb21 | Bug #55150: Update changelog

ucs-test (10.0.7-21)
be3495dc8577 | Bug #55150: Create new ucs-test to check this bug

univention-ad-connector 14.0.10-6A~5.0.0.202209021201
ucs-test 10.0.7-22A~5.0.0.202209021205
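The decision described in Comment 1, modelled in Python as an added illustration (this is not univention-ad-connector code): the same change is evaluated with the old UDM object always checked, as it was since the Bug 37351 change, and with that check restricted to `windowscomputer` objects, as in this fix. Object layout (plain dicts), the predicate-style filters and the name-based `ignore_filter` are assumptions of the model.

```python
# Simplified model of the AD Connector ignore decision; an added illustration,
# not univention-ad-connector code. Object layout and filters are assumptions.

def build_ignore_filter(ignorelist):
    """ignore_filter as derived from an ignorelist: ignore by object name."""
    names = {n.lower() for n in ignorelist}
    return lambda obj: obj.get("name", "").lower() in names

def in_ignore_subtree(obj, ignoresubtree):
    dn = obj.get("dn", "").lower()
    return any(dn.endswith(sub.lower()) for sub in ignoresubtree)

def ignore_object(prop, obj):
    """Single-object check: outside match_filter, under an ignored subtree,
    or (for property types that have one) matched by ignore_filter."""
    if not prop["match_filter"](obj):
        return True
    if in_ignore_subtree(obj, prop["ignoresubtree"]):
        return True
    ignore_filter = prop.get("ignore_filter")
    return bool(ignore_filter and ignore_filter(obj))

def should_ignore_change(prop, ucs_obj, ad_obj, fixed):
    """ad_obj: new AD state; ucs_obj: the UDM object (old state) or None.
    fixed=False: the old object is always checked as well (Bug 37351 change).
    fixed=True: the old object is only checked for "windowscomputer"
    objects, as in the Bug 55150 fix."""
    if ignore_object(prop, ad_obj):
        return True
    if ucs_obj is None:
        return False
    if fixed and prop["type"] != "windowscomputer":
        return False
    return ignore_object(prop, ucs_obj)

# Constructed sample: a user that was on the ignorelist under its old name
# and has been renamed in AD so that it no longer matches ignore_filter.
USER_PROP = {
    "type": "user",
    "match_filter": lambda o: o.get("objectClass") == "user",
    "ignoresubtree": ("cn=builtin,dc=example,dc=com",),
    "ignore_filter": build_ignore_filter(["svc-temp"]),
}
UCS_OLD = {"dn": "cn=svc-temp,cn=users,dc=example,dc=com", "name": "svc-temp", "objectClass": "user"}
AD_NEW = {"dn": "cn=svc-prod,cn=users,dc=example,dc=com", "name": "svc-prod", "objectClass": "user"}

def demo():
    """Returns (ignored before the fix, ignored after the fix) for the sample user."""
    return (should_ignore_change(USER_PROP, UCS_OLD, AD_NEW, fixed=False),
            should_ignore_change(USER_PROP, UCS_OLD, AD_NEW, fixed=True))
```

Before the fix the renamed user stays ignored because its old UDM state still matches `ignore_filter`; after the fix only the new AD state decides, while a `windowscomputer` whose old object sits in an ignored subtree is still skipped.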
Comment 2 Arvid Requate univentionstaff 2022-09-05 11:25:01 CEST
Verified:
* Code review
* Package update
* Functional test (with the new testcase)
* Advisory